Policy-based network security management is implemented on networks through the use of management software, such as CiscoSecure Policy Manager (CSPM) from Cisco Systems Inc. Typically, an administrator enters into the management software information that identifies a list of security policies, topology information, and other parameters that may be pertinent to managing security policies. The management software uses this information to determine the possible network paths on which security policies are to be implemented, and then enforces the security policies on the identified paths.
In some networks, such as interconnected Local Area Networks (LANs), the network paths determined by the management software are numerous, often numbering in the tens. However, many, if not most, of the network paths determined by the management software are never actually used, because the network's configuration excludes them. For example, routing configurations may preclude the use of certain network paths. Due to the complexity of typical networks, the information contained in routing configurations is not always available for use in eliminating unusable network paths from consideration when determining where security policies should be enforced. The result is that the management software implements and manages security policies on network paths that are never actually used.
Previous approaches to eliminating the enforcement of security policies on unused network paths have met with varying degrees of success. One approach involves the use of path restriction rules. A path restriction rule usually requires an administrator to identify impermissible combinations of firewall input and output interfaces. For example, in a scenario where there is a first firewall having a first interface, and a second firewall having a second interface, an administrator may create a path restriction rule that prohibits any traffic passing into the first firewall through the first interface from passing out of the second firewall through the second interface. As a result, some topological paths are disqualified from consideration by the management software.
This approach is problematic because, in most cases, many path restriction rules are required before they make a noticeable difference to the management of security policies. When many path restriction rules are in use, their combined effect is difficult to determine. Moreover, the approach fails to cover many scenarios, so security policies are still enforced on many network paths that are never used.
Another typical approach is to calculate all possible paths between a given source node and destination node, and to let the administrator select, from all of the possible paths, those that will be managed by security policies. This approach places a considerable burden on the administrator, because the number of possible paths is often so large that selecting among them is laborious and time-intensive.
Another approach is to enter routing entries as part of the topology, so that the management software can take the routing entries into account when determining the possible network paths. This approach requires the administrator to enter each routing entry manually. In large networks, the number of routing entries is too large to be entered and used efficiently.
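The three approaches above (enumerating all possible paths between a source and a destination, pruning them with path restriction rules on firewall interfaces, and pruning them with routing entries) can be made concrete on a small topology. The following is an added example written for this page; it is not code from the original text nor from CSPM or any Cisco product. The seven-node topology, the interface names, the two restriction rules and the routing tables are all constructed for illustration, and the treatment of devices with no routing table as permissive is an assumption of the example.

```python
from collections import defaultdict

# Constructed topology (not from the original text): each link is
# (node_a, iface_a, node_b, iface_b). Two routers sit between the source
# host and two firewalls, with a cross-link between the routers, so that
# many loop-free paths exist even in a seven-node network.
LINKS = [
    ("H1", "eth0", "R1", "ge0"),
    ("H1", "eth1", "R2", "ge0"),
    ("R1", "ge3", "R2", "ge3"),
    ("R1", "ge1", "FW1", "inside"),
    ("R2", "ge1", "FW1", "inside2"),
    ("R1", "ge2", "FW2", "inside"),
    ("R2", "ge2", "FW2", "inside2"),
    ("FW1", "outside", "R3", "ge0"),
    ("FW2", "outside", "R3", "ge1"),
    ("R3", "ge2", "H2", "eth0"),
]

# Path restriction rules in the form the text describes:
# (firewall entered, ingress interface, firewall exited, egress interface).
# Assumed rule set: forbid traffic that enters one firewall from the inside,
# crosses the inside segment, and leaves through the other firewall.
RULES = [
    ("FW1", "inside", "FW2", "outside"),
    ("FW2", "inside", "FW1", "outside"),
]

# Constructed routing entries: node -> {destination or "default": next hop}.
# Devices without a table (here H1) are treated permissively (assumption),
# mirroring the text's point that routing information is often incomplete.
ROUTING = {
    "R1": {"H2": "FW1"},
    "R2": {"H2": "FW2"},
    "FW1": {"default": "R3"},
    "FW2": {"default": "R3"},
    "R3": {"H2": "H2"},
}


def build_adjacency(links):
    """Map node -> list of (local_iface, neighbour, neighbour_iface)."""
    adj = defaultdict(list)
    for a, ia, b, ib in links:
        adj[a].append((ia, b, ib))
        adj[b].append((ib, a, ia))
    return adj


def all_simple_paths(adj, src, dst):
    """Every loop-free path from src to dst. A path is a list of hops
    (node, ingress_iface, egress_iface); ingress is None at src and
    egress is None at dst."""
    paths = []

    def walk(node, in_if, visited, hops):
        if node == dst:
            paths.append(hops + [(node, in_if, None)])
            return
        for out_if, nxt, nxt_if in adj[node]:
            if nxt not in visited:
                walk(nxt, nxt_if, visited | {nxt}, hops + [(node, in_if, out_if)])

    walk(src, None, {src}, [])
    return paths


def violates(path, rule):
    """True if the path enters fw_in through if_in and, at that hop or any
    later one, leaves fw_out through if_out."""
    fw_in, if_in, fw_out, if_out = rule
    entered = False
    for node, in_if, out_if in path:
        if node == fw_in and in_if == if_in:
            entered = True
        if entered and node == fw_out and out_if == if_out:
            return True
    return False


def apply_restrictions(paths, rules):
    return [p for p in paths if not any(violates(p, r) for r in rules)]


def consistent_with_routing(path, routing, dst):
    """Reject a path at the first hop that contradicts a known routing
    entry for dst; hops on devices with no table are accepted."""
    for (node, _, _), (nxt, _, _) in zip(path, path[1:]):
        table = routing.get(node)
        if table is None:
            continue
        next_hop = table.get(dst, table.get("default"))
        if next_hop is not None and next_hop != nxt:
            return False
    return True


def apply_routing(paths, routing, dst):
    return [p for p in paths if consistent_with_routing(p, routing, dst)]


def prune_summary(links, src, dst, rules, routing):
    """Count candidate policy paths under each pruning approach."""
    paths = all_simple_paths(build_adjacency(links), src, dst)
    restricted = apply_restrictions(paths, rules)
    return {
        "all": len(paths),
        "after_rules": len(restricted),
        "after_routing": len(apply_routing(paths, routing, dst)),
        "after_both": len(apply_routing(restricted, routing, dst)),
    }


if __name__ == "__main__":
    for name, count in prune_summary(LINKS, "H1", "H2", RULES, ROUTING).items():
        print(f"{name:14} {count}")
```

On this topology the enumeration yields 12 loop-free paths from H1 to H2; the two restriction rules remove only 2 of them, whereas the routing entries leave just the 2 paths the routers would actually forward on. Two caveats apply to the routing check: it is destination-based, so the reverse direction between the same hosts needs its own pass against the return destination, and a device with no table contributes no pruning at all, which is exactly the gap the text describes.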
Therefore, there is a need to reduce the number of extraneous network paths considered when implementing, enforcing and/or managing security policies on a network. There is also a need to reduce the number of routing entries that must be supplied in order to determine which network paths should have security policies enforced upon them.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.